How to use amavisd-new with Courier
***********************************
by Martin Orr
There may be additional or more up-to-date information at:
http://www.martinorr.name/amavisd-new
WARNING: This README applies to the current version of the Courier patch,
and requires Net::Server version 0.90 or later. For older versions of
Net::Server please use old courier patch and refer to README.courier-old.
The design of courierfilter means that amavisd-new must behave somewhat
differently from the ways in which it normally behaves. This has two main
effects:
1. amavisd is started and stopped by courierfilter whenever Courier starts and
stops. You must not start, restart or stop it directly, but instead use
filterctl {start|stop} amavisd
(It is possible but not recommended to configure amavisd to be manually
started and stopped; see below under manual startup/shutdown mode.)
2. It is not possible to modify the headers of messages. This makes
amavisd-new/courierfilter of limited use for spam checking. If you want
spam checking, you should run spamd separately and pass mail to it either
using maildrop or from .courier files.
CONFIGURING AMAVISD
You will need to make a the following changes to amavisd.conf:
1. Comment out the lines setting $daemon_user, $daemon_group: amavisd will be
started as whatever user Courier runs as (not root) so is unable to change
to another user.
2. Set $forward_method to undef and $notify_method to
'pipe:flags=q argv=/usr/sbin/sendmail -f ${sender} -- ${recipient}'
If you wish to include "local" in your enablefiltering file, or you are using
a version of Courier older than 0.49.0, then you must instead use
'pipe:flags=q argv=perl -e $pid=fork();if($pid==-1){exit(75)}elsif($pid==0){exec(@ARGV)}else{exit(0)} /usr/sbin/sendmail -f ${sender} -- ${recipient}'
3. Set $courierfilter_shutdown to 1.
4. Set $unix_socketname to DIR/amavisd where DIR is the appropriate
courierfilter directory. You need to decide whether you want a mandatory
filter, in which case all mail passing through your server will be filtered,
or an optional filter, in which case only mail to local users will be
filtered, and your users will have the option of overriding filtering (you
will almost certainly want a mandatory filter). You should see the
courierfilter manpage for more details, and also for the correct directories
on your system (on mine, they are /var/lib/courier/allfilters for mandatory
filters and /var/lib/courier/filters for optional filters).
5. Replace any existing setting of $interface_policy{'SOCK'} with
$interface_policy{'SOCK'} = 'AM-SOCK';
$policy_bank{'AM-SOCK'} = { protocol => 'COURIER' };
CONFIGURING COURIER
Install amavisd or a link to it in /usr/lib/courier/filters (or whatever
directory is correct on your system - again, see the courierfilter manpage).
The name of this link must match the name of the socket in $unix_socketname.
Make sure that the enablefiltering file exists in your Courier configuration
directory (/etc/courier or equivalent) and contains "esmtp". If you wish to
include "local", to filter mail sent through the sendmail command, then you
must use the long forking value of $notify_method in step 2 above.
MESSAGE DESTINIES
As of amavisd-new 2.4.0, it is possible to use all message destinies with
Courier. D_REJECT is probably the best choice as the message (if infected of
course) is rejected in the original SMTP session, and never becomes your
responsibility to deliver or send a DSN. The client MTA receives the response
"550 5.7.1 Message content rejected".
RELEASING ITEMS FROM QUARANTINE
If you wish to be able to release items from quarantine using the AM.PDP
protocol, you must set this to use a TCP port. Include the following in
amavisd.conf:
$inet_socket_port = 9998;
$interface_policy{'9998'} = 'AM.PDP';
$policy_bank{'AM.PDP'} = {
protocol => 'AM.PDP',
inet_acl => [qw( 127.0.0.1 [::1] )] # restrict access to these IP addresses
};
Modify the amavisd-release script to use $socketname = '127.0.0.1:9998'.
MANUAL STARTUP/SHUTDOWN MODE
You may prefer to start and stop amavisd independently of Courier (perhaps
through its own init script). However this means that you are on your own in
ensuring that it is started at the right time, namely as soon as possible after
Courier is started (or restarted). Messages which arrive after Courier starts
but before amavisd is ready will simply not be filtered. However, starting
amavisd before Courier will unfortunately not work. If you wish to disable
virus checking you must not only stop amavisd but also remove the socket -
Courier will refuse to accept mail while the socket exists but amavisd is not
running.
To use manual startup/shutdown mode, do not put a link to amavisd in
/usr/lib/courier/filters and set $courierfilter_shutdown to 0.
If you are using manual startup/shutdown mode, you do need to set the
$daemon_user and $daemon_group variables. $daemon_user
can be whatever you like and $daemon_group must be the same group as Courier
runs as. In order to allow amavisd to create its socket you must either start
amavisd as root or make the filter directory group-writable.